The CrackMe challenge was first observed on the ESET CrackMe web page, which looked like the picture below:

On the web page we can observe that the challenge is being held at Black Hat 2012. The winner will receive free entry into one of the conferences, either Black Hat America or Black Hat Europe, in 2013, plus a thousand dollars.

We can also see the download link where the crackme.exe program can be downloaded. The program is still accessible on their web page, so you can also try to download and crack it.

2. Unpacking the Program

Upon downloading the program crackme.exe, we can normally run it without any problems. The program looks like the picture presented below:

We can see that at first we need to enter the Name and Key 1 for the Key 2 to become available, which must also be filled in correctly.

If we try to run the program with the OllyDbg debugger, we can quickly see that our program crackme.exe is encoded. We can see the warning message that OllyDbg presented in the picture below:

This could greatly complicate our debugging, so it’s better to decode the program first before trying to debug it. We could debug the encoded version of the program, but it could present complications, maybe even premature termination of the program.

So the first thing to do is to download PEiD, a tool that is able to detect the most commonly used packers and encryptors. After opening our crackme.exe program with PEiD, we can see what the picture below presents:

We can immediately see that the program is packed with UPX, the Ultimate Packer for eXecutables. This is an open source packer and can be easily downloaded and installed. When we download and run upx.exe we get the default help page presented below:

    C:\Documents and Settings\eleanore\Desktop\upx308w>upx.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2011
    UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

    Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

    Commands:
      -1     compress faster                   -9    compress better
      -d     decompress                        -l    list compressed file
      -t     test compressed file              -V    display version number
      -h     give more help                    -L    display software license
    Options:
      -q     be quiet                          -v    be verbose
      -oFILE write output to 'FILE'
      -f     force compression of suspicious files
      -k     keep backup files
    file..   executables to (de)compress

    Type 'upx --help' for more detailed help.

    UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net

It’s clear that we need to use the option -d to decompress the compressed executable. To decompress the executable we must run the following command:

    > upx.exe -d -o main.exe crackme.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2011
    UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
       2064384 <-   1041920   50.47%    win32/pe     main.exe

    Unpacked 1 file.

The new unpacked executable file is named main.exe and is put into the same directory as crackme.exe. If we open our new main.exe in OllyDbg, the debugger no longer complains and starts normally.
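The packer identification step above can also be scripted. The following is an added example, not code from the original article and not how PEiD works internally: it parses the PE section table and reports two traits typical of UPX-packed files, section names starting with UPX and a section that is empty on disk yet writable and executable in memory. The `build_sample` helper and the section values it is given are constructed for the demonstration.

```python
import struct

EXEC, WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE
SECTION_FMT = "<8sIIIIIIHHI"           # one 40-byte IMAGE_SECTION_HEADER

def pe_sections(data):
    """Return (name, virtual_size, raw_size, characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section table offset
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[1], f[3], f[9]))
    return sections

def upx_indicators(data):
    """List the reasons a PE image looks UPX-packed (empty list: none found)."""
    reasons = []
    for name, vsize, raw_size, chars in pe_sections(data):
        if name.startswith("UPX"):
            reasons.append(f"section named {name}")
        if raw_size == 0 and vsize > 0 and chars & EXEC and chars & WRITE:
            reasons.append(f"{name} is empty on disk but writable and executable")
    return reasons

def build_sample(sections):
    """Constructed input: header-only PE image with the given section list."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack(SECTION_FMT, n, vs, 0x1000, rs, 0, 0, 0, 0, 0, ch)
                     for n, vs, rs, ch in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed section tables (sizes and flags are illustrative, not crackme.exe's).
PACKED = build_sample([(b"UPX0", 0xF7000, 0, 0xE0000080),
                       (b"UPX1", 0xFE000, 0xFD400, 0xE0000040),
                       (b".rsrc", 0x1000, 0x600, 0xC0000040)])
UNPACKED = build_sample([(b".text", 0x9000, 0x8E00, 0x60000020),
                         (b".data", 0x2000, 0x1000, 0xC0000040)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(label, upx_indicators(image) or "no UPX indicators")
```

To check a real file, pass its bytes instead of the constructed samples, for example `upx_indicators(open("crackme.exe", "rb").read())`.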

3. Conclusion

In this part of the tutorial we’ve looked at the unpacking process of the crackme.exe program. In the next tutorials we’ll try to analyze the first challenge, where we need to enter the right Name and Key 1 value.

Dejan Lukan is a security researcher for InfoSec Institute and penetration tester from Slovenia. He is very interested in finding new bugs in real world software products with source code analysis, fuzzing and reverse engineering. He also has a great passion for developing his own simple scripts for security related problems and learning about new hacking techniques. He knows a great deal about programming languages, as he can write in a couple of dozen of them. His passion is also antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD. He also has his own blog available here: http://www.proteansec.com/.

Hello Sir Dejan Lukan, just wanna say thank you for this information that you shared. About the Crackme.exe program so that I can join this challenge to try and crack the program. And also thank you for the step by step tutorial about how to use the Crackme.exe.
Looking forward to Part 2 of this article. God bless.

This is really great!! Thank you for this tutorial. Looking forward to the next tutorials.
Keep it up ^_^

Dejan Lukan (eleanor)

Thank you all, there will be 9 more series of this crackme challenge – it will be very detailed and I hope you’ll learn a lot from it. It’s good to know that somebody has learned something from the articles – it makes my work meaningful. Thanks again.
